Genetic Research

Genetic/Medical information disclosed for research purposes

The Health Insurance Portability and Accountability Act (HIPAA) and the California Medical Information Act (CMIA) both address how medical information may be shared and used for research purposes. However, different laws will apply when research is conducted on human subjects because of the ethical concerns it raises.


HIPAA requires researchers to obtain authorization to use your identifiable medical information for research purposes. You must give your signed permission stating that the researcher may use your information, but only for a specific project described in the agreement and only until the project’s stated expiration date.

Researchers may obtain a single authorization for both “conditioned” research (where treatment in a clinical trial is conditioned on receiving your authorization) and “unconditioned” research (research not related to treatment).  Authorizations may be for a specific study, or encompass a range of future research projects if the authorization you are asked to sign adequately describes such research.

You may have additional protections when researchers use your identifiable information, but it will depend on specific regulations governing the agency responsible for the data.  For example, the Agency for Healthcare Research and Quality (AHRQ) funds and oversees a great deal of health research by public and private organizations.  AHRQ, its contractors, and its grantees may only use identifiable data for the specific purpose to which you have consented. (42 U.S.C. § 299c-3(c))

Your medical information may be used for research without your consent in the following situations:

  • The medical information has been de-identified according to HIPAA standards.  This means that 18 specific identifiers have been removed—including name, Social Security number, photos, and unique characteristics.  When information has been de-identified according to this standard, there are no limits on how it may be used and disclosed. (45 CFR § 164.514)  However, there is nobody certifying or monitoring whether the standard has been met.
  • It is a limited data set, meaning that most identifiers are removed. However, the data set may still include dates of admission or discharge from a hospital; dates of medical treatment; date of birth and death; age (including 90 or older, which would limit the population pool from which the data could be re-identified); and a five-digit ZIP code, along with state, county, city, or precinct, but not your actual street address.  The researcher and your health care provider—but not you—must also have a written agreement that covers all permitted uses of the data.  (45 CFR § 164.514)
  • The Institutional Review Board (IRB) (an independent ethics board) or Privacy Board has determined that the project presents minimal risk to privacy, that procedures are in place to protect identifiable information, and that the research could not be done without identifiable information. (45 CFR § 164.512(i)(1)(i))

See the HHS publication “Research” for more information on how the HIPAA Privacy Rule applies to research.


California’s Confidentiality of Medical Information Act (CMIA) allows disclosure of individual medical information for bona fide research purposes to public agencies, clinical investigators (including those conducting epidemiologic studies), health care research organizations, and accredited public or private nonprofit educational or health care institutions. The CMIA prohibits disclosure beyond the purpose of the research in any way that would reveal the identity of a subject. (Cal. Civ. Code § 56.10(c)(7))

Research on human subjects

Research that is conducted on human subjects is another matter.  Separate federal regulations govern biomedical and behavioral research ethics.  These include “The Common Rule” and the Food and Drug Administration’s (FDA) regulations on protecting human subjects. (The Common Rule, 45 CFR § 46(A); the FDA regulations are at 21 CFR §§ 50, 56)

Research on human subjects requires authorization and informed consent.  In other words, you must sign an agreement and have the information you need to understand the research project.  In particular, you must understand the risks and benefits of the project.

An informed consent agreement must tell you:

  • the purpose of the research;
  • the procedures involved;
  • alternatives to participation (for example, is there a non-experimental drug or treatment available for the condition being studied?);
  • all foreseeable risks and discomforts, including physical injury, and possible psychological, social, or economic harm, discomfort, or inconvenience;
  • possible benefits of the research to you and society;
  • how long you are expected to participate;
  • a contact for answers to questions and in case of a research-related injury or emergency;
  • that participation is voluntary and there are no consequences or possible loss of any benefits you are entitled to receive if you do not participate;
  • your right to confidentiality; and
  • your right to withdraw at any time without consequences.

An IRB, also known as an independent ethics board, may waive one or more of these requirements if it would make the project impractical or impossible to do. An IRB may also waive a requirement if it does not apply to a particular project.

The California Attorney General’s Office has an “Experimental Research Subject’s Bill of Rights” that replicates the federal informed consent requirements.  (See also Cal. Health & Safety Code § 24172)

If you ever consider participating in a medical study or clinical trial, you may want to read more about how your information may be used and any rights you have. HHS has a publication on the Common Rule as it applies to research titled “Federal Policy for the Protection of Human Subjects (‘Common Rule’).”

The National Institutes of Health (NIH) compares the HIPAA research requirements to the HHS and FDA regulations for the protection of human subjects: “How Can Covered Entities Use and Disclose Protected Health Information for Research and Comply with the Privacy Rule?”  The University of Southern California also has a very readable pamphlet titled “Informed Consent in Human Subjects Research.”


The past decade has seen a dramatic rise in the number and diversity of biobanks in the US, from academic institutions to research institutes and hospitals. The rise of genomics and large-scale gene-environment studies has led biobanks to play an increasingly important role in biomedical research.

There are over a thousand biobanks currently operating in the US, and nearly 50 percent of these banks said, when surveyed, that the main biomolecule they store is DNA.  In total, these banks may house from tens of millions to over 50 million samples. By far the largest portion of these is being used for cancer research, followed by biospecimens stored for neurological diseases like Alzheimer’s and HIV/AIDS.

Biobanks raise many privacy questions, including policies governing data sharing and security, the privacy and identifiability of genomic information, how and when to return research results and incidental findings, how governance structures function at genomic repositories, and informed consent issues caused by the multiple uses of samples by genome researchers.

Currently, few guidelines and laws specifically govern biobanks and biorepositories.  Human subject research regulations do apply, and material transfer agreements and commercialization rules fall under certain federal regulatory guidance, but none are specific to biobanks.

In some ways, the biobanking and biorepository boom has created a “Wild West” landscape that will require new and tailored regulations.